Tuesday, October 26, 2021

Be Prepared: Continuity in the Face of Disaster

Have you ever put off a task till “tomorrow” only to find that an unscheduled event takes its place and then you miss the deadline? Sometimes it’s easy to recover, but other times it makes an impact not only on you, but on others.

Unfortunately, these issues happen not only in our personal lives, but in businesses, as well.

Foresight is a virtue, to be sure. We all have heard our mothers telling us to “wear clean underwear without holes in case you are in an accident.” The Boy and Girl Scouts have preached to always “be prepared.”

And yet, many times we just aren’t prepared.

Why?

Because it takes a conscious effort, as well as time, to plan in advance for these types of events. In business, they are known as continuity plans or disaster plans. Both federal agencies and industry have identified methods and guidelines to prepare for unforeseen events. For example, there is the National Response Plan (NRP) and the National Incident Management System (NIMS). The NIMS encompasses the principles of the Incident Command System (ICS), a nationally recognized incident management system. There also is the Disaster Recovery Institute International (DRII), which provides continuity and disaster recovery concepts and principles.

Even with these regulations and guidance, Continuity of Operations Plans (COOP) are still not being viewed with great importance, although they need to be.

For example, the terrorist attack on Sept. 11, 2001, proved that there is significant oversight in contingency planning. Backup IT plans are not disaster recovery plans. Getting employees quickly back to work and performing enterprise functions after a disaster can mean the difference between enterprise survival and failure.

“Two out of five businesses that are struck by a disaster will cease operations within five years,” according to industry analyst firm Gartner Inc., of Stamford, Conn.

So, how do you manage a disaster or a disruption?

In today’s uncertain environment, one of the ways to protect your critical enterprise functions and information is through development and maintenance of an enterprise continuity plan. No longer can we assume that if IT has a backup plan, we are secure and safe.

One misconception is that the IT systems are the business functions. This is a false, and often fatal, conception. IT systems support the enterprise functions. Enterprise functions depend on IT systems to complete the tasks associated with the function or mission of the business. Therefore, enterprises require a continuity plan. An Enterprise Continuity Plan (ECP) encompasses more than the information technology (IT) — it includes the enterprise functions, processes, people and assets.

Continuity of Operations Planning (COOP) processes and documents have been developed for many years, focusing solely on the IT level and failing to recognize the importance of the functionality level of an enterprise. A good COOP process should provide an enterprise infrastructure with reasonable methods to prevent, respond to, resume after, recover from, and restore services at the enterprise functionality level should events occur which prevent or disrupt normal operations.

A basic COOP should include a business impact analysis, a concise plan that identifies backup and recovery strategies, and an implementation plan to ensure that the backup data site is operational, the personnel site has been identified, and the appropriate agreements are in place. The COOP also needs to be tested at least yearly. And, no, testing does not include those actual events when a COOP goes into effect.

In addition, COOP exercises and maintenance also should be addressed in the overall plan. Testing and exercising the plan can be accomplished through various methods. A desktop exercise is where personnel review the plan and identify any weaknesses. Another method is a walkthrough, whereby a panel gets together and “walks through” the plan to identify weaknesses.

The most complete method is the simulation, though it requires resources. A simulation tests the COOP completely. Simply put, a disaster is simulated and the plan is put to the test. Only the minimum number of people should know that a simulation will take place; otherwise the results will be false.

The plan is a living document, meaning that it should be updated regularly to meet its objectives. There are many issues which would cause a COOP to require an update. Any results or lessons learned from testing will require an update to the COOP. New systems or business processes will need to be added to the COOP.

Only by keeping the COOP up to date can it be effective.

This type of approach provides an overall plan that will mitigate risk by providing the ability to continue critical enterprise operations in the event of a contingency and cultivates a risk management culture focusing on continuance, not just recovery.

Contingency plans are important to us all — not only in our private lives, but in our professional lives. Without a plan, chaos will become the only thing you have going when disaster strikes. Wouldn’t you rather know where you want to be and how to get there than leave it up to chance?

The only way to accomplish that is to have a solid and tested COOP. And, of course, wearing clean underwear.
